Modern chemical and hydrocarbon processing plants, oil & gas production facilities, power plants and other similar process plants all have some instrumented systems that ensure functional safety. These are known as Safety Instrumented Systems (SIS for short). This post is about SIS and how you can avoid certain pitfalls while designing them. To those of you who are familiar with the design of Safety Instrumented Systems, this may sound too basic, but nevertheless it's a useful checklist to have.
1. Keep the big picture in mind. An SIS is a Risk Reduction measure, not an end in itself.
Any large processing plant has a certain degree of inherent risk that is associated with operating it. There is nothing alarming about it. The principle applies to any voluntary human activity, like, say, driving a car. Driving a car has some risk, and to counter this risk one takes some safety measures (wear seat belts, have air bags, keep tire pressure OK, etc.). Similarly, one reduces the risk of running a processing plant by employing safety measures, one of which is having an SIS. Thus an SIS is not the only risk reduction measure.
Secondly, the goal of any safety measure (including an SIS) is to reduce the inherent risk of a process to an acceptable level. Keep this principle in mind before jumping straight into SIL calculations, quad redundant PLCs, etc. Will this system reduce risk to an acceptable level? Is this the only way to reduce the risk? Will it work? These are some of the questions that you should ask.
2. Quantify the inherent risk and the acceptable risk.
Make sure that you know the inherent risk of your process (from calculations, historical records, or other data). This may be expressed in a variety of ways, including FAR (Fatal Accident Rate), undesired events per year, reportable accidents per year, worker injuries per year and so on. Now also make sure that you know the acceptable level of risk in the same units. This information can be sourced from your corporate safety department or risk management team.
Now use the equation
Risk Reduction = Inherent Risk-Acceptable Risk
to obtain the amount of risk reduction that your system has to be able to provide.
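As an added illustration (not part of the original post), the Python below turns the two figures from this step into a design target. The subtraction is the post's own equation; the ratio form (Risk Reduction Factor, RRF = inherent frequency / acceptable frequency), the target PFDavg = 1/RRF and the SIL bands are the IEC 61508/61511 low-demand-mode convention, and the risk figures fed in are constructed.

```python
# Added example, not from the original post. All risk figures are constructed.
# Both inputs must be in the same units, e.g. undesired events per year.

# IEC 61508/61511 low-demand bands: (SIL, PFDavg lower bound, PFDavg upper bound)
SIL_BANDS_BY_PFD = [
    (1, 1e-2, 1e-1),
    (2, 1e-3, 1e-2),
    (3, 1e-4, 1e-3),
    (4, 1e-5, 1e-4),
]


def required_risk_reduction(inherent, acceptable):
    """The post's equation: absolute reduction needed, in the input units."""
    if inherent < 0 or acceptable < 0:
        raise ValueError("risk figures cannot be negative")
    return max(0.0, inherent - acceptable)


def required_rrf(inherent, acceptable):
    """Risk Reduction Factor: the factor by which the event frequency must be cut."""
    if acceptable <= 0:
        raise ValueError("acceptable risk must be a positive frequency")
    return max(1.0, inherent / acceptable)


def target_pfd(inherent, acceptable):
    """Maximum average probability of failure on demand the safeguard may have."""
    return 1.0 / required_rrf(inherent, acceptable)


def sil_for_target_pfd(pfd):
    """SIL band for a target PFDavg; 0 means no SIL-rated function is needed."""
    if pfd >= 1e-1:
        return 0
    for sil, lo, hi in SIL_BANDS_BY_PFD:
        if lo <= pfd < hi:
            return sil
    raise ValueError("target is below the SIL 4 band: reduce the inherent risk another way")


def risk_reduction_target(inherent, acceptable):
    """Bundle the figures a designer needs before starting SIL verification."""
    pfd = target_pfd(inherent, acceptable)
    return {
        "risk_reduction": required_risk_reduction(inherent, acceptable),
        "rrf": required_rrf(inherent, acceptable),
        "target_pfd": pfd,
        "sil": sil_for_target_pfd(pfd),
    }


if __name__ == "__main__":
    # Constructed figures: one undesired event per 50 years inherent,
    # one per 10,000 years acceptable (a corporate tolerability criterion).
    print(risk_reduction_target(inherent=2e-2, acceptable=1e-4))
```

With the constructed figures the loop must cut the event frequency by a factor of 200, so its PFDavg may be at most 0.005, which falls in the SIL 2 band. Note the error raised when the target falls below SIL 4: that is the point where the process itself, not the SIS, needs to change.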
3. Get reliability data regarding your process equipment, instruments and systems before you start the design.
There is no sense in working with assumed or other vague figures. If at a later date the basic data is found to be erroneous, the entire exercise of calculating target SILs, verifications, etc. will have been pointless. Data can be sourced from manufacturers, third party database providers or your own historical data. Take the worst case figures out of the three sources for your calculations.
4. Keep an eye on Common Cause Failures (CCFs).
It may sound simple, even ridiculous, but sometimes we fail to foresee common cause failures, even in large projects that have several hundred engineers working on them. For example, are your BPCS and SIS powered from the same UPS? The same utility feeder? Could it become a CCF? Do your SIS card and BPCS card share a common backplane? What if the backplane fails, say due to ingress of moisture or rodents? Could it become a CCF? Ask these questions at the design stage itself to save yourself tears later.
For a case study on how CCFs can lay low a very expensive and technologically sophisticated program like the International Space Station, here is an interesting link. A single CCF knocked out all the redundant computers in the International Space Station, endangering the lives of the astronauts.
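The questions above can be asked systematically from the plant's own loop inventory. The Python below is an added example, not part of the original post: it lists which support resources (UPS, feeder, backplane, instrument air, impulse line) are shared between BPCS and SIS components, and which are shared between the channels of a redundant SIS group. The inventory, tag names and resource names are constructed for illustration; in practice they come from the loop drawings and cable schedules.

```python
# Added example, not from the original post. The inventory is constructed.
from collections import defaultdict

# component tag -> (system it belongs to, support resources it depends on)
INVENTORY = {
    "PT-101A": ("SIS", {"UPS-1", "backplane-3", "impulse-line-A"}),
    "PT-101B": ("SIS", {"UPS-1", "backplane-3", "impulse-line-B"}),
    "PT-101C": ("SIS", {"UPS-2", "backplane-4", "impulse-line-C"}),
    "PT-100": ("BPCS", {"UPS-1", "backplane-3"}),
    "XV-101": ("SIS", {"instrument-air-1", "solenoid-supply-1"}),
    "FV-100": ("BPCS", {"instrument-air-1"}),
}


def shared_resources(inventory):
    """Invert the inventory: resource -> set of components that depend on it."""
    users = defaultdict(set)
    for component, (_, deps) in inventory.items():
        for resource in deps:
            users[resource].add(component)
    return users


def bpcs_sis_common_causes(inventory):
    """Resources whose single failure would hit both a BPCS and an SIS component.

    Each such resource defeats the independence that the BPCS/SIS split assumes.
    """
    findings = {}
    for resource, components in shared_resources(inventory).items():
        systems = {inventory[c][0] for c in components}
        if {"BPCS", "SIS"} <= systems:
            findings[resource] = sorted(components)
    return findings


def redundancy_common_causes(inventory, channels):
    """Resources shared by two or more channels of one redundant SIS group.

    A shared resource means a single failure can remove several channels at once,
    so the voting architecture (e.g. 2oo3) no longer gives the credit claimed for it.
    """
    deps = [inventory[c][1] for c in channels]
    shared = set()
    for i in range(len(deps)):
        for j in range(i + 1, len(deps)):
            shared |= deps[i] & deps[j]
    return sorted(shared)


if __name__ == "__main__":
    for resource, comps in bpcs_sis_common_causes(INVENTORY).items():
        print(f"BPCS/SIS share {resource}: {comps}")
    print("2oo3 group PT-101A/B/C shares:",
          redundancy_common_causes(INVENTORY, ["PT-101A", "PT-101B", "PT-101C"]))
```

On the constructed inventory the check reports that UPS-1 and backplane-3 feed both the BPCS transmitter and two of the three SIS transmitters, so a loss of either resource removes two channels of the 2oo3 group in one event, and that both systems' valves hang off the same instrument air header.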
5. Keep an eye on the SIS components, especially sensors and final control elements. (Also ensure that your SIS loops do not use substandard components like cheap terminal strips, poor quality lugs, undersized signal wire and the like.)
Are you aware that out of all documented failures of SIS loops, only 8% were related to the logic solvers (Safety PLCs) and fully 92% were failures related to sensors and final control elements? Contrast this with the amount of debate, discussion and time that is spent on designing the logic solver part of the SIS (heated discussions on whether we need triple redundant safety PLCs or quad redundant safety PLCs or something even more exotic).
The reality is that very few people focus attention on the non-glamorous part of the SIS loop: the transmitter and the automated valves. Very likely they are the same types that are used in the "normal" loops. Is this a correct practice? Should you not be holding these to a higher benchmark, especially since their performance will ultimately decide the reliability of the SIS loop? Also be careful with your terminal strips. A poor quality termination can cause nuisance trips worth millions of dollars; have a better benchmark for these passive components in your SIS loops.
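The following Python is an added example, not from the original post, that puts numbers behind the point above. It applies the simplified IEC 61508 estimate PFDavg ≈ λ_DU × TI / 2 for a single (1oo1) element to each part of a loop and reports each element's share of the loop's unavailability, then shows what changes when the logic solver is upgraded versus when the valve is. The dangerous-undetected failure rates are constructed for illustration and are not vendor figures; the formula assumes λ_DU × TI is small, which it is here.

```python
# Added example, not from the original post. Failure rates are constructed.
HOURS_PER_YEAR = 8760.0


def pfd_1oo1(lambda_du_per_hour, test_interval_years):
    """Average PFD of one element with dangerous-undetected failure rate lambda_DU,
    proof-tested every TI years (simplified formula, valid when lambda_DU*TI << 1)."""
    if lambda_du_per_hour < 0 or test_interval_years <= 0:
        raise ValueError("rate must be non-negative and test interval positive")
    return lambda_du_per_hour * test_interval_years * HOURS_PER_YEAR / 2.0


def loop_pfd(elements, test_interval_years):
    """elements: {name: lambda_DU per hour}.

    Returns (loop PFDavg, {name: fraction of the loop PFDavg}). Elements are in
    series: the loop fails to act on demand if any one of them does.
    """
    parts = {name: pfd_1oo1(rate, test_interval_years) for name, rate in elements.items()}
    total = sum(parts.values())
    shares = {name: (p / total if total else 0.0) for name, p in parts.items()}
    return total, shares


def total_after_swap(elements, name, new_lambda_du, test_interval_years):
    """Loop PFDavg if one element is replaced by one with a different lambda_DU."""
    changed = dict(elements)
    changed[name] = new_lambda_du
    return loop_pfd(changed, test_interval_years)[0]


# Constructed dangerous-undetected failure rates, per hour, for a 1oo1 loop.
LOOP = {
    "pressure transmitter": 3.0e-7,
    "safety PLC (logic solver)": 2.0e-8,
    "shutdown valve + actuator + solenoid": 6.0e-7,
}
TEST_INTERVAL_YEARS = 1.0


if __name__ == "__main__":
    total, shares = loop_pfd(LOOP, TEST_INTERVAL_YEARS)
    print(f"loop PFDavg = {total:.2e}")
    for name, share in shares.items():
        print(f"  {name:40s} {share:5.1%}")
    # Same loop with a much better logic solver, then with a much better valve.
    print("better PLC  ->", f"{total_after_swap(LOOP, 'safety PLC (logic solver)', 1.0e-9, TEST_INTERVAL_YEARS):.2e}")
    print("better valve->", f"{total_after_swap(LOOP, 'shutdown valve + actuator + solenoid', 3.0e-7, TEST_INTERVAL_YEARS):.2e}")
```

With these constructed rates the loop PFDavg is about 4.0e-3, of which the logic solver contributes roughly 2% and the valve assembly roughly 65%. Cutting the PLC's failure rate by a factor of twenty barely moves the loop figure, while halving the valve's failure rate takes the loop from 4.0e-3 to 2.7e-3. That is the arithmetic behind spending review time on the transmitter and the valve rather than on the PLC's redundancy architecture.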
Comments are always welcome. You can also add any more tips that you may wish to share with our readers.